Last Friday, Epsilon, an email marketing firm that serves approximately 2,500 clients and sends about 40 billion marketing messages on their behalf annually, reported that someone hacked into its computer system and stole an unknown number of email addresses and names. The scale of the problem became clearer over the weekend, and by Monday some of the nation’s largest banks and corporate brand names began alerting their customers to be on the lookout for fraudulent emails.
Fraudsters now have access to names and active email accounts, coupled with information about which particular brands individuals have relationships with. This kind of data is a gold mine for scammers: it opens the door not only to an increase in spam and phishing attacks, but also to spear phishing and other targeted attacks on customers who expect communications from these brands.
The complete impact of the Epsilon breach remains to be seen, but brands, especially those impacted by the attack, ought to proactively monitor for additional scams targeting their customers. A response and communications plan should be ready for promptly shutting down such scams and notifying customers, in case an Epsilon domino effect becomes reality. The Online Trust Alliance’s 2011 Data Breach & Loss Incident Readiness Guide, for example, provides best practices and sample notification letters.